The software supply chain is a vast, global landscape made up of a complicated web of interconnected software producers and consumers. As such, it comes with numerous risks and vulnerabilities that affect all software–including those from third parties and outside vendors. These risks include everything from code vulnerabilities and open-source code repositories to hijacked software updates, insecure connected devices, overprivileged access to resources across the supply chain, and more.
However, many software supply chain vulnerabilities occur because most software is not written from scratch. Instead, developers often rely on open-source code to scale software production. As many as 96% of applications contain at least one open-source component, and 78% of businesses report using open-source software as part of their network. And while this trend is integral in advancing business productivity, it also highlights the importance of creating a secure software supply chain.
Read on to learn what steps your developers can take to better secure software production and consumption throughout the software development lifecycle (SDLC).
How software supply chain attacks are shifting left
Supply chain attacks typically involve multiple components and can evolve rapidly depending on the attack vector or entry point used. Cybercriminals often start with an initial compromise in hopes of eventually impacting a downstream consumer.
For example, a threat group might instigate a software supply chain attack by compromising a popular open-source component. As developers around the world implement this new code, they unknowingly ingest a malicious or backdoored package. Attackers then use this compromise to gain privileged, persistent access into the network. From there, they can enact damage such as data or financial theft, monitoring activity within the network, disabling critical systems, and more.
We’re also seeing a growing trend in which attackers are shifting left earlier on in the SDLC. This is because software supply chain attacks are primarily targeted at developers and the systems that they use. This approach can be seen in past incidents like Solorigate and 3CX.
So, what can organizations do to guard against this shift left and secure their software supply chain moving forward?
4 strategies for more secure software supply chains
As attackers continue shifting left, your organization and supporting software must do the same. Ensuring a built-in security approach through the safe production and consumption of software early on in the SDLC can help organizations shift left, increasing security and limiting the risk of compromise. Following are four strategies you can use to create a more secure SDLC.
Implement the Microsoft Security Development Lifecycle (SDL): Given the complexity of the modern threat landscape, it’s imperative companies build security into their applications and services from the ground up. This means that security and privacy must be considered throughout all development phases. Microsoft’s SDL helps ensure developers build highly secure software and address security compliance requirements while also reducing development costs. The SDL provides guidance and requirements to perform threat modeling and penetration testing, define standard security features and requirements, inventory third-party components, establish an incident response plan, and more.
Engage in cross-industry collaboration: Because open-source code plays such a dominant role in software development, it’s critical that organizations partner with groups like the Open Source Security Foundation (OpenSSF). Working with these groups allows businesses to help protect developers from accidentally consuming malicious and compromised packages. It can also mitigate supply chain attacks by decreasing consumption-based attack surfaces. One example is S2C2F, a subset of OpenSSF’s Supply Chain Integrity Working Group. When paired with a producer-focused, artifact-oriented framework, S2C2F helps development teams and organizations implement comprehensive security controls for building and consuming software securely.
Secure the access layer: Zero Trust is more than just identity, devices, and access. It can act as the founding principles to secure developers, including phish-resistant Multi-Factor Authentication (MFA), conditional access policies, the principle of least privilege, user access reviews, and Just in Time (JIT) permission controls for admin-level tasks. Adopting these more stringent policies is key to reducing your attack surface and preventing initial compromise.
Monitor your DevOps platform: Organizations also need to think beyond preventative controls and consider more proactive measures like detection and response. This can include using analytics to monitor for anomalous behavior such as tampered source controls, build environments, and release systems. Once these indicators of compromise (IOCs) are detected, they can be immediately triaged for response actions. The quicker your response, the sooner you can evict bad actors from your environment.
While the software supply chain can be difficult to navigate and complex to secure, businesses can partner with leading security organizations to implement best practices and holistically safeguard their environment.
For more information on Microsoft’s work to secure the software supply chain, visit the Microsoft Built-In Security website.
Security